This guest post is by Matt Setter of MaltBlue.com.
Do you run a web-based business and collect data about your customers? If so, do you have professional practices in place to ensure the protection of that information and the privacy of your customers? No? Then ask not for whom the bell tolls, as it tolls for you—Privacy Breach Notification Laws are here.
Before you scramble to fire off an email to your service provider to disable your ecommerce facilities or remove all forms from your blog, don’t. If you’re running a small site or a modest-sized mailing list and don’t collect any information on your visitors, then please don’t be alarmed.
However, irrespective of the scope of your online presence, please take a few minutes to get yourself up to date on what privacy breach notification laws are, and how they impact you.
Despite how much we love all things web, we know that it can be a bit of a wild west out there. We hear reports of security breaches at companies big and small, such as the recent ones at both LinkedIn and eHarmony. But do we stop to think just how much impact these breaches have, and what our legal obligations are?
What happens if the password exposed in one breach is the same one the person reuses on many other accounts, or all of them? What if the attackers then comb through the stolen data and use what they find to mount further attacks on those same people?
What if, as a result of the attack(s), a civil case is brought against you for the damages suffered by one or more of your customers? Are you prepared to deal with the security breach itself, let alone the legal ramifications that follow it?
As I said, we love the web. I sure do. We love its convenience, simplicity and immediacy. But it comes at a price, and one most of us haven’t considered in much depth.
What are the laws?
Lucky for us, some people have. In 2002 the ball started rolling in California, where Joe Simitian (then an Assembly member, now a Senator) authored a bill, SB 1386, requiring businesses to notify customers when a breach of their security exposes personal information. The law was amended in 2011 (SB 24) to become even stronger, adding specific requirements for what a notice must contain.
The amended law, as summarised, states:
“notification to affected California residents will need to include, at a minimum:
- The name and contact information of the reporting agency, person or business;
- A list of the types of personal information that were or are reasonably believed to have been the subject of the breach;
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number;
and, to the extent it is possible to determine at the time the notice is provided:
- The date of the notice and any of the following:
  - the date of the breach,
  - the estimated date of the breach, or
  - the date range within which the breach occurred;
- Whether the notification was delayed because of a law enforcement investigation (if applicable); and
- A general description of the breach incident.”
You may be thinking this is just for California and it doesn’t relate to you because you live in Massachusetts or Washington. Or maybe you live outside the US, in Canada, Australia, New Zealand, the United Kingdom or elsewhere.
But you’d be wrong. Most other US states have since passed breach notification laws of their own, and if you’re outside the US, the situation’s potentially even tougher:
- The European Union has a series of directives that bind all member states, including the Data Protection Directive (1995) and the Directive on Privacy and Electronic Communications (2002); the 2009 amendment to the latter introduced a mandatory breach notification duty for providers of electronic communications services.
- Australia doesn’t yet have these same laws, but a recent study, reported on by the University of Canberra, indicates that they may be coming soon.
- New Zealand is set to overhaul its privacy laws through the course of 2012 and beyond.
Further reading on the laws themselves:
- Wikipedia page on security breach notification laws
- Wikipedia page on the Directive on Privacy and Electronic Communications
- Wikipedia page on the protection of personal data
- UK Information Commissioner’s Office page on privacy security breaches
- Compliance Focus page on Privacy Breach Notification Laws
- California bulks up security breach notification requirements
- Australians demand online data breach notification
- Privacy crimes make data breach notifications mandatory
- Privacy laws to be overhauled in NZ
- Information on the NZ Government’s review of privacy laws
It’s fair to say that if all these jurisdictions are moving in the same direction, a number of the others will likely follow suit—if they’re not already.
What can you do?
While this is all concerning stuff, there are steps you can take, from simple right through to complex, to protect your site from security breaches. The law firm Perkins Thompson suggests a set of steps that we can use as a basis for putting our blogs in a good position.
Adopt “commercially reasonable” data security measures
Stay aware of the breaches that affect bloggers by keeping up with current events. Then look for the simple measures: keep your blogging platform, themes and plugins patched, use strong, unique passwords for administrator accounts, and use plugins that help protect your user accounts (for example by limiting repeated login attempts), whether on your blog or on your organization’s computer network. “Commercially reasonable” is judged against what a comparable business would be expected to do, so the basics matter most.
Secure physical access to mobile computing and mobile storage devices
Don’t leave your laptops and phones lying around, as you likely have sensitive information on them. We all slip from time to time, so make sure you have a good password or PIN protecting access to them. Bear in mind that a login password alone does not protect the data on a stolen device; enable full-disk encryption on laptops and the built-in encryption and remote wipe features on phones, so that a lost device is an inconvenience rather than a notifiable breach. Consider using 1Password, which provides secure protection of your passwords, accounts and sensitive information.
Limit the scope and duration of data retention
Do you need to keep all the information that you have? How long do you need to keep it for? If it’s no longer required, then consider getting rid of it. Data you don’t hold can’t be exposed in a breach, and it can’t trigger a notification obligation either.
Develop procedures to monitor and audit data security in your company
Whether your business is big or small, find a security vendor or consultant you can talk with to assess your security needs. If necessary, consider a security audit, and make the monitoring routine rather than a one-off: review who has access to customer data and check your logs for anything unusual.
Train and educate your employees, and follow your company’s data security policy or agreement
Ensure that all of your staff know that security is taken seriously and that they follow the policies. Security doesn’t need to be draconian, just a normal matter of course.
Carefully select third-party providers
Which services do you use as part of your day-to-day operations? Do you use Harvest, FreshBooks, LinkedIn, Facebook or Twitter? What is their approach to security, what is their history of breaches, and what do they commit to telling you if they suffer one? A breach at a provider holding your customers’ data may still be your notification to make.
Consider cyber-insurance policies
Though insurance is an “after the fact” type of approach, it can be good to have in case something goes wrong. UK insurance broker Chris Knight has this to say:
“Many businesses do not fully understand the risks associated with using the internet, but it is now possible to purchase cover for Cyber Liability and Privacy Breach Notification.
“These provide cover for legal action taken against the business in the cyber world and the cost of notification of any breach that may occur.”
Develop procedures to quickly respond to a data security breach
Even the best companies and organisations can be hacked; it’s a fact and we know it. But users often respond positively despite this if the company responds in a timely and professional manner. Consider writing down a set of procedures to follow if it happens to your blog: who decides that a breach is notifiable, who contacts your hosting provider and (if needed) law enforcement, who drafts the notice with the details listed above, and how affected users will be reached.
How secure is your blog?
I appreciate that I may have caused a lot of concern and alarm by addressing this topic, and in part I apologise. But it’s better to be educated and prepared than to be caught off guard and fighting fires.
Are you prepared for a data breach on your site? Do you have adequate measures in place to respond should a breach occur? Share your thoughts in the comments. And if you’re keen to find out more, have a look at the resources listed earlier in this post.
Matthew Setter is a freelance writer, technical editor and proofreader. His mission is to help businesses present their online message in an engaging and compelling way so they’re noticed and remembered.
This is one of those topics that is not on the top of my mind, but extremely important to know for the future.
I am blown away at the number of resources related to this topic though, I could spend the rest of my day reading all of it!
Thanks a bunch,
-Gabe
Hi Gabe,
It’s all quite interesting how the landscape for blogging is changing over time, and potentially you could get lost in keeping up with it all. Thanks for your feedback.
Some of the developments that are occurring on the web in terms of privacy are absolutely alarming. But, what can we do about it? You listed a few great ideas.
But generally, there is very little we can do. If we have a relatively small site, we are unlikely to be targeted anyway. Great advice!
Hi David,
My aim here was to get the information out there and do hope that I’ve not given you, or anyone else, reason to be alarmed. Personally, I feel that, like most things, if we use common sense and act professionally, for the most part we should be fine. It’s always good to have an informed understanding. Thanks for taking the time to share your feedback.
Hi David,
I would avoid the mentality that a “small site is less likely to be targeted”; this reasoning doesn’t hold up. Have a look at the Verizon breach reports (http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf): the majority of breaches occur at organisations with fewer than 100 staff.
The bad guys know that small operations don’t have resources that big companies have so they are seen as ‘soft’ targets.
-Daniel
(PS. Hey Setter, long time)
Hi Dan,
Thanks for the link to the information, and yes, it has been a long time indeed. Can always trust you to have a lot of detailed information. But there’s the opposing point: is it worth going after a small site? Is it much of a prize to spend the time and effort on?
Informative article for newbies like me. Thanks.
Hey Albert, absolute pleasure mate. Happy to help.
I will be honest and admit that the privacy laws affecting us at the moment are pretty much frying my brain. I’m just continuing as I normally do and hope I’m not breaking any laws.
Hey Dean,
There’s loads of good information; I just hope I’ve not put you into information overload.
Matt
Hi Matthews!
Great post. I am running my blog as normal, but I keep WordPress updated, and if I am using the Genesis Framework I update it when an update is available, and I am sure that’s enough and I am not breaking any laws.
Thanks for sharing a great post :-)
No problems Ayaz. Keeping up to date is always one of the best things you can do.
Yes, agreed: privacy is a hidden danger for small internet businesses and large ones.
I’d say that a healthy approach, especially given Daniel’s point above, is that irrespective of size, keep educating yourself and your team and do your best to stay on top of the blogging landscape, without getting paranoid about it.
Very informative….
Hi Matthew, I have just recently noticed that another site has stolen my content, even though I have a privacy statement at the bottom of my blog. Not only that, they have used my name and used the content on their front page, which is ranking on page 1; they have posted it as their own content. What can I do about this?